From: Francesco Casadei
To: "Clark C. Evans"
Cc: freebsd-questions@freebsd.org
Date: Tue, 19 Mar 2002 18:44:35 +0100
Subject: Re: ipfw / tinydns settings
Message-ID: <20020319184435.A4231@goku.kasby>
In-Reply-To: <20020318212513.A27453@doublegemini.com>
X-Operating-System: FreeBSD 4.5-STABLE i386

On Mon, Mar 18, 2002 at 09:25:13PM -0500, Clark C. Evans wrote:
> Hello. I'm running tinydns on a box with ipfw,
> what incantation do I need to allow dns queries
> to the box? I have...
>
> add pass all from any to any via lo0
> add pass udp from any to me 53 keep-state
> add pass udp from me to any 53
>
> Anyway, I read the ipfw manual but I don't
> quite grok what's going on; it looks like
> the queries are making their way in, but
> the response from tinydns is being blocked.
>
> As soon as I put "add pass udp from any to any"
> it works... but I did this just to make sure
> that it is an ipfw issue.
>
> Thanks!
>
> Clark
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>
> end of the original message

To allow incoming/outgoing DNS queries I have the following rules in the
firewall ruleset file:

    /sbin/ipfw add check-state
    /sbin/ipfw add allow udp from any to ${oip} 53 in recv ${oif} keep-state
    /sbin/ipfw add allow udp from ${oip} to any 53 out xmit ${oif} keep-state

${oip} and ${oif} are respectively the IP address and the name of the
output network interface.

Francesco Casadei

--
You can download my public key from http://digilander.iol.it/fcasadei/
or retrieve it from a keyserver (pgpkeys.mit.edu, wwwkeys.pgp.net, ...)
Key fingerprint is: 1671 9A23 ACB4 520A E7EE 00B0 7EC3 375F 164E B17B
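The stateful ruleset from the reply, as an added shell example that is not part of the original thread: it generates the three rules for a given address and interface, refuses to emit anything if either value is empty or malformed (an unset ${oip} would otherwise produce a rule that does not say what you meant), and only hands the rules to ipfw when explicitly asked. The function names, the APPLY switch and the sample address/interface are this example's own.

```shell
#!/bin/sh
# Added example (not from the original message): build the stateful ipfw
# rules for a DNS server. dns_rules/apply_dns_rules, APPLY and the sample
# values below are this example's assumptions, not the poster's ruleset.

# Emit the rule lines for one address/interface pair.
# Order matters: check-state comes first so packets of an already-known
# dynamic flow are accepted before any later rule can drop them; keep-state
# on the inbound rule makes the dynamic entry match both directions, so
# the answers tinydns sends (from port 53 back to the client's ephemeral
# port) need no separate outbound rule.
dns_rules() {
    oip=$1
    oif=$2
    # Loose sanity check: reject an empty or non-dotted-quad address.
    case "$oip" in
        ""|*[!0-9.]*) echo "dns_rules: bad IPv4 address '$oip'" >&2; return 1 ;;
    esac
    [ -n "$oif" ] || { echo "dns_rules: empty interface name" >&2; return 1; }
    printf '%s\n' \
        "add check-state" \
        "add allow udp from any to $oip 53 in recv $oif keep-state" \
        "add allow udp from $oip to any 53 out xmit $oif keep-state"
}

# Load the rules through ipfw only when APPLY=1 and ipfw exists; otherwise
# just print them so the ruleset can be reviewed before it is installed.
apply_dns_rules() {
    rules=$(dns_rules "$1" "$2") || return 1
    if [ "${APPLY:-0}" = 1 ] && command -v ipfw >/dev/null 2>&1; then
        printf '%s\n' "$rules" | while IFS= read -r r; do
            # shellcheck disable=SC2086  (word splitting is intended here)
            /sbin/ipfw -q $r
        done
    else
        printf '%s\n' "$rules"
    fi
}

# Constructed sample values; substitute the box's own address and interface.
apply_dns_rules 192.0.2.10 fxp0
```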